FreeSCIM Users | SCIM Lifecycle And FreeIPA Active State

User operations

Focus on lifecycle transitions: onboarding, profile and manager changes, entitlement drift, and deactivation must remain deterministic to avoid permission drift across Okta and FreeIPA.

Operational details

Track source IDs, FreeIPA-safe uid values, and reconciliation timestamps per user.
Separate soft deactivation from hard deletion with explicit retention rules.
Validate required attributes before propagation to downstream systems.

Quality checks

Use idempotency tests for repeated operations to confirm no duplicate role assignment or access grants.

Lifecycle state matrix

Transition	Source of truth	System effect
active=true	Okta SCIM intent	Provisioned or enabled FreeIPA-backed identity
active=false	Okta deactivate	Account lock / disable behavior with repeat-safe replay
userName change	Directory drift check	FreeIPA-safe uid normalization with audit diff